Users with read-only access to a library should not be able to tag components #1376

Closed
pomegranited opened this issue Oct 10, 2024 · 2 comments · Fixed by #1362
Labels
bug Report of or fix for something that isn't working as intended

Comments

@pomegranited
Contributor

Acceptance Criteria

Users with read-only access to a library:

  1. Can view the tags added to components in the library.
  2. Cannot see any "Add tags" buttons in the Content Tags Sidebar.
  3. Cannot see the "Manage Tags" button in the Content Tags Sidebar.

Currently, read-only users can try to add tags, but get 403 errors from the backend on Save.

This will require backend changes too.

Background

The can_tag_object permission is dependent on the taxonomy + object ID, and so "Manage Tags" should be shown if the user can_tag_object for any of the available taxonomies.

But, we're getting our list of available taxonomies and tags from the /api/content_tagging/v1/taxonomies/?enabled=true&org=<org_name> REST endpoint, which doesn't take an Object ID. And so we can't check whether the user is allowed to tag this particular object with the returned taxonomies. So this endpoint returns taxonomies with can_tag_object = True, because it's true that the user can use these taxonomies in general, just not on this particular object.

Suggested approach

  1. Update the /taxonomies endpoint to take an optional object_id, and use that to determine the can_tag_object permission.
  2. Update the Authoring MFE to pass object_id into the /taxonomies endpoint -- this should fix point #2.
  3. Update the Authoring MFE to aggregate the can_tag_object permissions for all the taxonomies, and if none are True, hide the Manage Tags button in the sidebar.
@pomegranited pomegranited added the bug Report of or fix for something that isn't working as intended label Oct 10, 2024
@bradenmacdonald
Contributor

@pomegranited CC @ChrisChV Your suggestions make sense, but isn't it simpler just to change the <ContentTagsDrawer> component so it takes a readOnly boolean, and when the library is read-only (as we already know on the frontend), we pass that parameter? Then the tags widget will hide the Manage/Add buttons, without bothering to "listen" to what the backend is saying.

I don't think we have to worry about a situation where some taxonomies are read-write and others are read-only.

@pomegranited
Contributor Author

@bradenmacdonald Ah yes, that would be simpler. :) I think I can fix that as part of #1342.

@pomegranited pomegranited moved this to In Progress in Libraries Overhaul Oct 11, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Libraries Overhaul Oct 15, 2024
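
The button-visibility decision discussed in this thread, sketched as an added example that is not taken from the project's code: it aggregates can_tag_object across the returned taxonomies and lets a readOnly flag override the result. The function name tagControls, the returned field names and the sample data are assumptions made for illustration.

```javascript
// Added example; only can_tag_object and readOnly come from the issue text.

// Constructed sample of a /taxonomies response fetched WITHOUT an object ID:
// can_tag_object says the user may use the taxonomy in general, not on the
// particular read-only component being viewed.
const sampleTaxonomies = [
  { id: 1, name: 'Subject', can_tag_object: true },
  { id: 2, name: 'Difficulty', can_tag_object: true },
  { id: 3, name: 'Legacy' }, // permission field missing from the record
];

// Decide which controls the tags sidebar renders (hypothetical helper).
// Fails closed: a taxonomy counts as taggable only when can_tag_object is
// exactly true, and readOnly removes every editing control.
function tagControls(taxonomies, { readOnly = false } = {}) {
  const list = Array.isArray(taxonomies) ? taxonomies : [];
  const taggableIds = readOnly
    ? []
    : list.filter((t) => t && t.can_tag_object === true).map((t) => t.id);
  return {
    showTags: true, // acceptance criterion 1: tags stay visible
    showManageTags: taggableIds.length > 0, // criterion 3
    addTagsFor: taggableIds, // criterion 2: taxonomies that get "Add tags"
  };
}

// Aggregation alone reproduces the reported bug, because the endpoint
// answered for the taxonomies in general rather than for this object.
const aggregatedOnly = tagControls(sampleTaxonomies);

// Passing the read-only state the frontend already knows hides the buttons.
const readOnlyLibrary = tagControls(sampleTaxonomies, { readOnly: true });

console.log({ aggregatedOnly, readOnlyLibrary });
```

Hiding the buttons is presentation only; the 403 the backend returns on Save, mentioned in the issue, remains the actual access check.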